CVE-2021-37102 — Command Injection in Huawei Fusioncompute
Severity
8.8 HIGH (NVD)
EPSS
0.6%
top 29.33%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Nov 23
Latest update: Nov 24
Description
There is a command injection vulnerability in the CMA service module of the FusionCompute product when processing the default certificate file. The software constructs part of a command using external special input from users, but does not sufficiently validate that input. Successful exploitation could allow the attacker to inject certain commands into the system. Affected product versions include: FusionCompute 6.0.0, 6.3.0, 6.3.1, 6.5.0, 6.5.1, 8.0.0.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9
Affected Packages: 2 packages
Vulnerability Details (2)
GHSA
GHSA-gpc3-vjh4-7wm2: There is a command injection vulnerability in CMA service module of FusionCompute product when processing the default certificate file (2021-11-24)
CVEList
CVE-2021-37102: There is a command injection vulnerability in CMA service module of FusionCompute product when processing the default certificate file (2021-11-23)